Services

What we do

Everything we deliver is backed by patterns we run in production on our own platform. No theoretical frameworks — just engineering approaches that we know work, because we use them ourselves.


Microsoft 365 — migration, governance and Copilot readiness

End-to-end Microsoft 365 work for organisations running large, complex estates, whether you’re mid-merger, planning a tenant consolidation, trying to get a grip on SharePoint sprawl, or figuring out what Copilot will actually expose before you turn it on.

  • Tenant-to-tenant migrations — full discovery across users, mailboxes, OneDrive, SharePoint, Teams, Groups and licensing, with wave planning and risk assessment tailored to your regulatory posture
  • SharePoint governance — information architecture reviews, permission sprawl remediation, retention and sensitivity labels, site lifecycle policies, and hub/spoke restructuring for organisations whose SharePoint has grown faster than the plan
  • M365 Copilot readiness assessments — the honest version of the Copilot readiness conversation. We look at what data Copilot will actually be able to surface given current permissions, where oversharing risks are concentrated, what needs to be fixed before the licences land, and what the realistic licence scoping should be
  • Change management and communications — we can draft user-facing content or hand the data to your in-house comms team, linked directly to migration scope
  • Delivery via Novalysis — our own migration planning product, deployed into your tenant as an Azure managed application. You can also license it directly if you’d rather run it yourselves

Azure platform engineering

Building and operating cloud platforms on Azure, with a strong bias towards Infrastructure as Code, managed identities, and network isolation.

  • Hub-and-spoke architectures for multi-tenant SaaS and regulated workloads
  • Azure Marketplace managed application delivery for ISVs
  • Bicep-based infrastructure with full CI/CD and what-if preview pipelines
  • API Management configuration, JWT-based tenant routing, and policy authoring
  • SQL on Azure with Entra-only authentication, per-customer isolation, and automated schema management

Azure Trusted Research Environments

Design, build and operation of Trusted Research Environments (TREs) and Secure Data Environments (SDEs) on Azure — for NHS trusts, universities, genomics platforms, and other organisations that need to make sensitive datasets available to researchers without giving up control of the data.

  • Per-project workspace isolation with dedicated compute, storage and networking
  • Airlock patterns for controlled data ingress and egress
  • Integration with approval workflows, DPIAs and information governance boards
  • Layered identity and access control aligned with the UK NHS Secure Data Environment model
  • Support for genomics pipelines, statistical computing, and LLM/AI workloads inside the safe haven
  • Audit trails sufficient for research governance committees and Section 251 approvals

We’ve built these for real research use cases — not theoretical reference architectures — and can help with anything from a first-time TRE build to remediation of an existing environment that’s struggling to scale.


Compliance and security consulting

For organisations in the NHS, higher education, finance, or other regulated sectors where compliance posture is a blocker for everything else.

  • NHS Data Security and Protection Toolkit — alignment work, self-assessment preparation, and gap remediation
  • DPIA support — we’ve written the Data Protection Impact Assessments behind real deployments and can help you shape yours
  • Least-privilege identity — per-domain managed identities, tiered permission models, and access control matrices
  • Network isolation — VNet-integrated Function Apps, Private Endpoints, layered egress filtering
  • Audit and response — logging pipelines, Defender for Cloud configuration, and incident response runbooks

AI-assisted operations and agentic workflows

Using Azure OpenAI, the Model Context Protocol (MCP), and Azure AI Foundry to put genuinely useful AI into production operations — not chat toys, but agents that do real work against real systems.

We build these for clients, and we also run them ourselves. Our own platform uses agentic workflows for task orchestration, automated triage of monitoring alerts, and AI-assisted communications drafting — all driven by agents exposing tools via MCP over REST, authenticated through APIM with per-tenant scoping.

  • Agentic workflow design — identifying where an agent adds genuine value (and where it doesn’t), mapping tool surfaces, and scoping authority boundaries
  • MCP server implementation — exposing existing REST APIs as MCP tools, or building new tool servers with proper auth, logging and audit
  • Agent orchestration on Azure AI Foundry — including long-running agents via Durable Functions, with human-in-the-loop approval steps where they’re needed
  • Monitoring and incident response pipelines — alerts into GitHub issues, AI triage, automated assignment to the right engineer
  • Operations automation — agents that handle routine platform work safely, with clear audit trails and reversible actions

We’re conservative about where agents belong — we don’t bolt them onto things that don’t need them — but where they fit, they fit well, and we can show you the ones we’re running in production today.


How engagements typically work

We prefer fixed-scope, fixed-price work wherever possible. For longer engagements we’ll quote on a time-and-materials basis with clear milestones and regular written status updates.

Every piece of work is delivered by the same senior engineers you’ll meet in the scoping conversation. Nothing gets handed off to a delivery team you’ve never heard of.

Tell us what you’re trying to do and we’ll tell you honestly whether we can help.